1. ICO serves first fines: £100,000 and £60,000

The Information Commissioner issued two fines on 24 November, showing that it is willing to use its new power to penalise serious breaches of the Data Protection Act.

Hertfordshire County Council has been fined £100,000 for two serious incidents in which council employees faxed highly sensitive personal information to the wrong recipients. The first case involved details of child sexual abuse, and the second details of care proceedings. Although the council itself had reported the breaches, the ICO decided that this was the sort of breach for which a monetary penalty was appropriate, because the council did not learn from its mistake: no appropriate action was taken after the first incident to stop it from happening again.

The first misdirected fax was meant for barristers’ chambers and was sent to a member of the public. The council subsequently obtained a court injunction prohibiting any disclosure of the facts of the court case or circumstances of the data breach.

The second misdirected fax, sent 13 days later by another member of the council’s childcare litigation unit, contained information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals’ opinions. The fax was mistakenly sent to barristers’ chambers unconnected with the case.

The employment services company A4e was fined £60,000 for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.

The data breach occurred when an employee took an unencrypted laptop home. The laptop, which contained sensitive information such as full names, dates of birth, postcodes, employment status, income level and information about alleged criminal activity, was subsequently stolen from the employee’s home.

A4e reported the incident to the ICO, which considered that a fine was appropriate given that access to the data could have caused substantial distress. A4e did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop.

Information Commissioner Christopher Graham said:

“It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks. The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data”.

“These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds.”

Christopher Graham, the UK Information Commissioner, announced today that Alan Eustace, Senior Vice President, Google, based in Google’s California Headquarters, has signed an Undertaking, without any admission of liability regarding the company’s collection of Wi-Fi data as part of its StreetView service.

The Undertaking includes:

training

use of a privacy design document for engineers for every new project before it is launched

deletion of Wi-Fi data collected in the UK as part of its Street View service

agreement that the ICO will conduct a full audit within nine months of Google’s internal privacy structure, privacy training programs and its system of privacy reviews for new products.

This “consensual” audit is certainly a high profile one and shows that the Commissioner is ready to use his persuasive powers with other companies.

As part of this arrangement, the Commissioner has closed his investigation and agreed to not impose an Enforcement Notice.

Does this Undertaking have international scope? Graham says: “It is a significant achievement to have an undertaking from a major multinational corporation like Google Inc. that extends to its global policies and not just its UK activities.” There is a reference to an ICO in-person inspection at the California HQ, but on studying the text of the Undertaking at www.ico.gov.uk/~/media/documents/library/Data_Protection/Notices/google_inc_undertaking.ashx there is no reference to the Undertaking extending to Google’s global policies. There is a reference in Schedule 1 to the appointment of a “Director of Privacy across Engineering and Product Management” who will provide the ICO with details of this team’s “cross-functional privacy efforts across engineering, product management, compliance and internal audit functions.” But there is no specific reference to these initiatives being global in scope.

3. ICO’s first fine before the end of November

The Commissioner has now announced that he will impose his first civil monetary penalty or fine before the end of November.

4. Free Data Protection Act compliance audits now available

At the National Association of Data Protection Officers’ Annual Conference on 10th November, Christopher Graham announced that his office is offering a free audit service to data controllers who are reviewing their processes and procedures as part of their efforts to follow the ICO’s guidance and codes of practice. He now considers that his audit team is well trained and sufficiently resourced since his office is receiving more income from the new layered notification fees.

He also made it clear that if his office addresses questions to data controllers, he expects a reply within 28 days, and will serve an Information Notice if a data controller is unwilling to “engage with” his office. If the ICO considers that a controller’s procedures are “deficient” he may request that the organisation produces an “action plan” as a first step.

6. ICO changes its mind on Google Street View’s collection of Wi-Fi data and demands an Undertaking, training and a consensual audit

Google UK has received a request from the UK’s Information Commissioner to sign an Undertaking and will be audited over its collection of Wi-Fi data as part of its Street View service. Google must sign the Undertaking within 21 days, committing its management to ensuring that such data protection breaches do not occur again, or the company will face enforcement action, Information Commissioner Christopher Graham said on 3 November. Graham says a fine was not appropriate in this case, but one will apply if Google fails to comply with the Undertaking.

The ICO, having first decided that there was no breach of the Data Protection Act, has now concluded that the breach involved in collecting Wi-Fi data as part of Google’s Street View service was indeed significant.

The Undertaking specifies action points for Google. Google is to update orientation programs for Google employees, train employees on Google’s code of conduct, which includes sections on privacy, and enhance the core training for engineers.

In addition, Google needs to create an awareness program for Google employees and ensure that engineering project leaders maintain a privacy design document for each initiative they are working on. Also, Google has to delete UK Wi-Fi data collected as part of its Street View service.

The ICO is to conduct a consensual audit within nine months.

The ICO’s change of heart follows the results of investigations conducted by data protection authorities in several countries and Google’s admission that personal data had indeed been collected.

An ICO spokesperson said earlier this week:

“We must remain evidence based and although our enquiries, along with the enquiries of our international counterparts, are taking longer than many people might like, it is of paramount importance that we get our decision right in order to ensure the public can be confident that their long term privacy interests are being maintained.”

“It is also important to note that none of the regulators currently investigating Google Street View have taken direct enforcement action at this stage, with the US investigation led by the US Federal Trade Commission for example ruling out direct action, although mirroring our own concern that this data was allowed to be collected by an organisation who showed such disregard for international data protection legislation. This week the Metropolitan Police have also closed their case believing it would not be appropriate to pursue a criminal case against Google under the Regulation of Investigatory Powers Act (RIPA).”

However, Spain’s Data Protection Agency (AEPD) has launched an infringement proceeding against Google over its use of Wi-Fi network location data. Possible fines range from €60,000 to €600,000.


Copyright Privacy Laws & Business 2010
